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DETAILED ACTION 

1. Claims 1-11, 13, 15-17, 19-21, 23, and 24 are pending. 

2. A request for continued examination under 37 CFR 1.114, 
including the fee set forth in 37 CFR 1.17(e), was filed in this 
application after final rejection. Since this application is 
eligible for continued examination under 37 CFR 1.114, and the 
fee set forth in 37 CFR 1.17(e) has been timely paid, the 
finality of the previous Office action has been withdrawn 
pursuant to 37 CFR 1.114. Applicant's submission filed on 
08/31/2006 has been entered. 



Claim Rejections - 35 USC §103 

3. The following is a quotation of 35 U.S.C. 103(a) which 
forms the basis for all obviousness rejections set forth in this 
Office action: 

(a) A patent may not be obtained though the invention is not identically 
disclosed or described as set forth in section 102 of this title, if the 
differences between the subject matter sought to be patented and the prior 
art are such that the subject matter as a whole would have been obvious at 
the time the invention was made to a person having ordinary skill in the 
art to which said subject matter pertains. Patentability shall not be 
negatived by the manner in which the invention was made. 

4. Claims 1-2, 10, 11, 13, 15-17, 19-21 are rejected under 35 



U.S.C. 103(a) as being unpatentable over I'Anson et al (EPO 
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0474932), further in view of Park (US 6363458), and further in 
view of Shanklin et al (US 6487666) . 

As per claims 1, and 19-21, I'Anson discloses identifying 
at least two valid states associated with the network protocol 
in which a first host system communicating with a second host 
system using the network protocol may be placed; defining at 
least one valid transition between a first state of the at least 
two valid states and a second state of the at least two valid 
states; determining that a connection under the network protocol 
is in the first state; analyzing the stream based at least in 
part on the determination that the connection under the network 
protocol is in a first state to determine whether the packet is 
associated with the at least one valid transition (see p. 3 
lines 22-39 and p. 4 lines 27-49) . 

I'Anson fails to disclose defining an invalid state with a 
plurality of transitions to the invalid state and expressing the 
at least one valid transition and the invalid transition in the 
form of a regular expression and using the regular expression to 
analyze the network protocol stream. 

However, Park teaches the use of an invalid state with a 
plurality of transitions to the invalid state (see column 7 line 
15 through column 8 line 41 and Figure 2a) and Shanklin et al . 
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teaches the use of regular expressions (see column 6 lines 39- 
57). 

At the time of the invention it would have been obvious to 
a person of ordinary skill in the art to use the invalid state 
with a plurality of transitions to the invalid state of Park and 
Shanklin et al's regular expressions defining all transitions to 
analyze the protocol of I'Anson. 

Motivation to do so would have been to invalidate requests 
and to recognize and evaluate identifiers, special symbols, or 
other tokens. 

As per claim 2, the modified I'Anson, Park, and Shanklin et 
al system discloses compiling the regular expression into 
computer code (see Shanklin et al column 6 lines 39-57). 

As per claims 10-11, the modified I'Anson, Park, and 
Shanklin et al system discloses keeping track of which of the at 
least two states the first host system currently is in and 
changing the tracked state of the first host system from the 
first of the at least two states to the second of the at least 
two states in the event the analysis of the network protocol 
stream indicates the at least one valid transition has taken 
place (see I'Anson p. 4 lines 27-49). 

As per claim 13, the modified I'Anson, Park, and Shanklin 
et al system discloses the invalid transition indicates that a 
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security-related event has taken or is taking place and defining 
a further state corresponding to the invalid operation (see p. 4 
lines 18-26 where the security related event is 'the intrusion of 
Shanklin et al as applied with Park) . 

As per claims 15-17, the modified I'Anson, Park, and 
Shanklin et al system discloses keeping track of which state, 
from the set comprising the at least two states and the further 
state, the first host system currently is in; and changing the 
state of the first host system to the further state in the event 
that the analysis of the network protocol stream indicates the 
invalid operation has taken place and in the event that the 
analysis of the network protocol stream indicates the invalid 
operation has taken place, an indication that the invalid 
operation has taken place then discontinuing analysis of the 
network protocol stream once the state of the first host system 
has 'been changed to the further state (see I 'Anson page 4). 
5. Claims 3-4. are rejected under 35 U.S.C. 103(a) as being 
unpatentable over the modified I'Anson, Park, and Shanklin et al 
system as applied to claim 2 above, and further in view of 
Wijendran (AWK-to-C Translator) . 

As per claims 3-4, the modified I'Anson, Park, and Shanklin 
et al system fails to disclose the use of optimal C programming 
language code. 
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However, Wijendran teaches this optical C code (see page 

1) . 

At the time of the invention it would have been obvious to 
a person of ordinary skill in the art to use Wijendran' s optical 
C code in the modified I'Anson, Park, and Shanklin et al system. 

Motivation to do so would have been to maximize runtime 
performance (see page 1) . 

6. Claim 5 is rejected under 35 U.S.C. 103(a) as being * 
unpatentable over the modified I'Anson, Park, and Shanklin et al 
system as applied to claim 2 above, and further in view of 
Mangione-Smith (How many vector registers are useful?) . 

As per claim 5, the modified I'Anson, Park, a'nd Shanklin et 
al system fails to disclose the use of nearly optimal computer 
code . 

However, Mangione-Smith teaches nearly optical code (see 
page 1 ) . 

At the time of the invention it would have been obvious to 
a person of ordinary skill in the art to use Mangione-Smith' s 
nearly optical code in the modified I'Anson, Park, and Shanklin 
et al system. 

Motivation to do so would have been that nearly optimal 
code requires less vector registers (see page 1) . 
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7. Claims 6-9 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over the modified I'Anson, Park, and Shanklin et al 
system as applied to claim 1 above, and further in view of Blam 
(US 6467041) . 

As per claim 6, the modified I'Anson,' Park, and Shanklin et 
al system fails to disclose copying the stream to a third party 
to be analyzed. 

However, Blam teaches a third party analyzer (see column 6 
lines 5-29) . 

At the time of the invention it would have been obvious to 
a person of ordinary skill in the art to use Blam' s third party 
analyzer to analyze the* protocol analyzer of the modified 
I'Anson, Park, and Shanklin et al system. 

Motivation to do so would have been to perform the analysis 
regardless of what resources are on the network or client (see 
column 6 lines 5-29) . 

As per claims 7-9, the modified I'Anson, Park, Shanklin et 
al system, and Blam system discloses the network protocol stream 
comprises packets of data, each packet being associated with a 
sequence number indicating its position relative to other 
packets in the protocol stream, and the third system reassembles 
the packets into the order indicated by the respective sequence 
numbers of the packets received where a copy of the network 
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protocol stream is maintained in the third system until analysis 
has been completed and in the event the packets are received by 
the third system in sequence number order, a copy is maintained 
in the third system only of those packets comprising the portion 
of the network protocol currently under analysis (see I'Anson 
pages 4-5 and Blam column 6 lines 5-29) . 

8. Claim 23 is rejected under 35 U.S.C. 103(a) as being 
unpatentable over the modified I'Anson, Park, and Shanklin et al 
system as applied to claim 1 above, and further in view of Brown 
et al (US 6604075) . 

As per claim 23, the modified I'Anson, Park, and Shanklin 
et al system fails to disclose performing error handling that is 
specific for one of the plurality of invalid transitions. 

However, Brown et al teaches the error handling of a 
specific invalid state (see column 11 lines 9-18). 

At the time of the invention it would have been obvious to 
a person of ordinary skill in the art to include error handling 
of a specific invalid state in the modified I'Anson, Park, and 
Shanklin et al system. 

Motivation to do so would have been that the error needs to 
be handled by an application or user with specific knowledge 
associated with the processing. 
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9. Claim 24 is rejected under 35 U.S.C. 103(a) as being 
unpatentable over the modified I' Anson, Park, and Shanklin et al 
system as applied to claim 1 above, and further in view of Oran 
(US 6275574) . 

As per claim 24, the modified I'Anson, Park, and Shanklin 
et al system fails to disclose grouping the regular expressions 
according to their similarity. 

However, Oran teaches such grouping (see column 8 lines 8- 

21). 

At the time of the invention it would have been obvious to 
a person of ordinary skill in the art to group the regular 
expressions of the modified I'Anson, Park, and Shanklin et al 
system. 

Motivation to do so would have been to define precedence 
for the regular expressions. 

Response to Arguments 

10. Applicant's arguments with respect to claims 1-11, 13, 15- 
17, 19-21, 23, and 24 have been considered but are moot in view 
of the new ground(s) of rejection. 
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Conclusion 



Any inquiry concerning this communication or earlier 
communications from the examiner should be directed to Michael 
Pyzocha whose telephone number is (571) 272-3875. The examiner 
can normally be reached on 7:00am - 4:30pm first Fridays of the 
bi-week off. 

If attempts to reach the examiner by telephone are 
unsuccessful, the examiner's supervisor, Emmanuel Moise can be 
reached on (571) 272-38655. The fax phone number for the 
organization where this application or proceeding is assigned is 
703-872-9306. 

Information regarding the status of an application may be 
obtained from the Patent Application Information Retrieval 
(PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status 
information for unpublished applications is available through 
Private PAIR only. .For more information about the PAIR system, 
see http://pair-direct.uspto.gov. Should you have questions on 
access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free) . 



MJP 



ENfMAIWtL L. MOISE 
SUPERVISORY PATENT EXAMINER 
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